General
-
Target
NEAS.2110da33cfe1eaecd05be82b4717cd7381665f5c729a67c7671e612bae06fc24zip_JC.zip
-
Size
320B
-
Sample
231013-r59gasae3v
-
MD5
aa680f5e07148fdbef3e79ea07e11846
-
SHA1
535a87459f80f0f73ae6807a4c1b9999ec22c146
-
SHA256
2110da33cfe1eaecd05be82b4717cd7381665f5c729a67c7671e612bae06fc24
-
SHA512
af2e519ac8e482b8b80dad88ad63668a09ac6921c0da3598ccefddbf959e7cf5cfde4ad9a2cef3e9e2324febbe98c32c8f5796a6c29df51c6020e787a27aeeea
Malware Config
Extracted
gozi
Extracted
gozi
5050
fotexion.com
-
base_path
/jerry/
-
build
250260
-
exe_type
loader
-
extension
.bob
-
server_id
50
Extracted
gozi
5050
fotexion.com
-
base_path
/pictures/
-
build
250260
-
exe_type
worker
-
extension
.bob
-
server_id
50
Targets
-
-
Target
Azienda.url
-
Size
193B
-
MD5
385b2d1cc0f48c9b113009619258b210
-
SHA1
2a956120277957bf6b11ec05568e148cb1c0bc7c
-
SHA256
589deb6665a90960cfbe3db62f3477f9a2087a2b2eb03d1a19ea69374a9eb34e
-
SHA512
a82d7f78c72d8ba1849473a7ac2536e1c332289fbdf11c6ea6f5de6f182208871a4ccb59a0f5facccdd6d0c78e9c9e10dcfe4aa067426fe0ce69358477364e18
Score10/10-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-